CVE-2026-27488 MEDIUM

CVE-2026-27488: OpenClaw hardened cron webhook delivery against SSRF

Vendor Openclaw

Product openclaw

Weakness CWE-918 · SSRF

Published February 21, 2026

Last update February 24, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

What the vulnerability does

01Description

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.

Key dates

02Disclosure timeline

February 21, 2026 CVE published

February 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27488 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

CVE-2026-27488: OpenClaw hardened cron webhook delivery against SSRF

01Description

02Disclosure timeline

03References

04Related CVE